Privacy statement

This is an overview of how Kent County Council makes sure you understand how we use your personal information. The law requires us to provide information about who we are, how to contact us, the purpose for which your personal data is used and who we share it with.

To understand how your own personal information is processed refer to any personal communications you have received, check the privacy notices for the service or contact the service directly to ask about your personal circumstances.

The council provides a range of statutory and other services to local people and businesses and collects personal data for many purposes, so this general statement explains how we make sure you have the information you need at the point it is collected. Each service that collects personal data therefore provides a separate Privacy Notice to explain the purpose and legal basis for that service.

The personal information we collect and use

Information collected by us

Our services either collect personal information directly from you or receive it from third-parties. We only receive your personal data from outside agencies or third- parties where there is a sound legal basis and purpose for doing so.

When gathering and using personal information, we will comply with the data protection principles, as set out in the KCC data protection policy . Depending on the needs of the service and the purpose of processing, we may collect some or all of the following types of information:

Under certain circumstances we may need to collect and process the following special categories of personal data:

medical (physical or mental health details)

racial or ethnic origin

trade union membership

political affiliation

political opinions

offences (including alleged offences)

religious or other beliefs of a similar nature

genetic data or biometric data

sexual orientation

We recognise that personal information concerning criminal convictions and offences is not special category personal data but is a very sensitive type of personal information which can only be shared in narrow circumstances.

Reasons we collect and use your personal information

We may need to use some information about you to:

deliver and manage the services and support we provide to you;

respond to enquiries or complaints

train and manage employees or volunteers who deliver those services;

control spending on services;

monitor the quality of our services; and

research and plan new services

For the Council to be able to process your personal information we need to demonstrate that we have a lawful basis for doing so. Each service is responsible for setting out the purpose and legal basis of their processing of your personal data.

Necessary for the performance of a task carried out in the public interest for the purposes of the prevention, investigation, detection or prosecution of criminal offences

For special category: Necessary for the establishment, exercise or defence of legal claims whenever Courts are acting in their judicial capacity

Promoting the services we provide

a. Identityb. Contactc. Technical

Consent of the data subject

Necessary for the performance of a public task in the public interest

Marketing our local tourism and events

a. Identityb. Contactc. Technical

Consent of the data subject

Necessary for the performance of a public task in the public interest

Carrying out health and public awareness campaigns

a. Identityb. Contactc. Technical

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

Managing our property

a. Identityb. Contactc. Business activitiesd. Financial

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

Necessary for the performance of a contract

Providing leisure and cultural services

a. Identityb. Contactc. Special category

Consent of the data subject

Necessary for the performance of a public task in the public interest

For special category: Explicit consent of the data subject to process their special category data

Undertaking surveys, focus groups and/or depth interviews. We do this to help us to understand the needs of our service users and how they feel about the services that we provide.

Where the research relates to Adult Social Care and Health, you will not be contacted if you have opted out under the national data opt-out policy, unless you have specifically given your consent for us to contact you about research.

Necessary for reasons of substantial public interest (necessary for statutory and government purposes and/or to enable equality of opportunity or treatment)

Necessary for archiving purposes, scientific or historical research purposes or statistical purposes

To contact you to ask you to participate in a research survey and/or qualitative research carried out by universities, e.g. as part of a government funded evaluation of the impact of national policies on the quality of public services.

Where the research relates to Adult Social Care and Health, you will not be contacted if you have opted out under the national data opt-out policy, unless you have specifically given your consent for us to contact you about research.

a. Identityb. Contactc. Special categoryd. Commercial services

Necessary for third party legitimate interests for the purpose of facilitating university research

Necessary for the performance of a task carried out in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for historical /statistical purposes.

Automated processing - profiling

a. Identityb. Contactc. Special category

Necessary for the performance of a public task in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for statistical purposes.

The provision of all commercial services both for staff and public access

We may use your personal information where necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Occasionally it may be necessary to provide certain information to us e.g. for us to provide a service to you or to comply with one of our legal duties. We will let you know if this is the case and the possible consequences of not giving us the information we ask for.

How long your personal data will be kept

We will only hold your personal information for as long as necessary. To work out how long we need to keep your information for we use our retention schedule. You will be informed in the service specific privacy notice of how long your data will need to be kept prior to secure disposal.

Who we share your personal information with

Your personal information may be shared with internal departments or with external partners and agencies involved in delivering services on our behalf. However, we will only share information with organisations who will also comply with appropriate data protection laws. You will be informed in the service specific privacy notice of who your data may be shared with, if at all.

Sharing of information is crucial to the successful delivery of local services. The GDPR specifically recognises that “data protection” should not be an excuse to prevent proper sharing of personal data. The Kent and Medway Information Sharing Agreement (KMSA) provides a framework to enable a number of organisations and public bodies across Kent and Medway to share personal information. The Agreement reflects the requirements of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018).

The following are examples of third parties who we may need to share your information with if appropriate:

family, associates or representatives of the person whose personal data we are processing

current past and prospective employers

healthcare, social and welfare organisations

educators and examining bodies

financial organisations

debt collection and tracing agencies

private investigators

good and service providers

local and central government

ombudsman and regulatory authorities

press and the media

professional advisers and consultants

courts and tribunals

trade unions

political organisations

credit reference agencies

professional bodies

survey and research organisations

police forces including non-home office police forces

housing associations and landlords

voluntary and charitable organisations

religious organisations

students and pupils including their relatives, guardians, carers or representatives

data processors

customs and excise

international law enforcement agencies and bodies

security companies

partner agencies, approved organisations and individuals working with the police,

licensing authorities

healthcare professionals

law enforcement and prosecuting authorities

legal representatives, defence solicitors

police complaints authority

the disclosure and barring service

university students undertaking research as part of their coursework, dissertation or thesis

KCC does not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.

We only share your information where we have a legal basis to do so, for example where

we take an individual into care; or

the court orders us to do so.

National Data Opt-Out – Health and Adult Social Care Services

We have processes in place for considering requests for data disclosure for purposes beyond direct care which is consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.

Transfer outside of the EEA

We may transfer your information outside of the European Economic Area (EEA). You will be informed in the service specific privacy notice if your information is to be transferred outside of the EEA in this way.

Such countries do not necessarily have the same data protection laws as the United Kingdom and EEA. If we do transfer information outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA. The European Commission has given a formal decision that the United States does have an adequate level of data protection (within the EU-US Privacy Shield framework).

If you would like further information, please contact us (see our ‘how to contact us’ section below). We will not otherwise transfer your personal data outside of the United Kingdom or EEA.

How we use your information to make automated decisions

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. (e.g. monitoring your online activities or events which trigger actions such as sickness triggering a capability policy and profiling). This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the services we may offer you now or in the future.

We are allowed to use automated decision-making in the following circumstances:

Where we have notified you of the decision and given you 21 days to request a reconsideration.

Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.

In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information we must have either your explicit written consent or it must be justified in the public interest, and we must put in place appropriate measures to safeguard your rights.

Tailoring services

We make decisions about how and where services are delivered by looking at the needs of our services users as a whole, and by understanding as much about them as possible in terms of their demographics (e.g. age, gender, disabilities etc) and lifestyle.

One of the ways that we do this is to create profiles using software that uses your address details to place you in one of a number of groups that describe the social characteristics and lifestyles of the UK population as a whole. These segments have been created by external companies that provide the software that we use. We analyse the profiles of our service users as a whole and compare it to the profile for the Kent population. Carrying out this type of analysis helps us to manage the planning and delivery of our services more effectively.

No decisions about an individual’s access to a service are made using these tools, as each service uses its own tailored assessment processes where these are required. We do not share the profiles of individual service users with any other organisation or business other than those acting as data processors on our behalf.

Market and social research surveys and qualitative research

To help us to understand the needs of our service users, we will from time to time carry out market research surveys and qualitative research (such as Focus Groups and Depth Interviews) amongst our service users, their families, and/or the adults who are responsible for them. Carrying out market research helps us to make better decisions about what services to deliver and where they are needed, by understanding the needs of our service users. You will be informed in the service specific privacy notice if this applies to your personal information.

We may contact you to ask you whether you are willing to participate in a market research survey and/or qualitative research. Your decision about whether or not to participate in the research will not affect the services that you receive from Kent County Council. We may ask a market research agency and/or independent qualitative researcher to undertake the research on our behalf. Any third party that we use (including online survey tools such as Snap Surveys) will be acting on our behalf as our data processor and will adhere to the data protection regulations. Your details will not be used for direct marketing purposes.

We are sometimes contacted by University students wanting to carry out research amongst our service users and/or staff, as part of their coursework, dissertation or thesis. All such applications are subject to our Research Governance Approval process, which includes approval from the relevant ethics committees (such as the Health Research Authority) where appropriate.

Our website

We collect certain information or data about you when you use kent.gov.uk. We collect:

questions, queries or feedback you leave, including your name, postcode and email address

details of which version of web browser you used and other information about your device

information on how you use the site, using cookies and page tagging techniques.

For more information on cookies and related technologies used on this site, and how to disable them read our cookie policy.

The data we collect on this site can be viewed by authorised people in Kent County Council as well as our suppliers, to:

improve the site by monitoring how you use it

gather feedback to improve our services

respond to any feedback you send us, if you’ve asked us to

allow you to access council services and make transactions

provide you with information about local services if you want it

Storing your website data

We store your data on secure servers in the EEA. Sending information over the internet is generally not completely secure, and we can’t guarantee the security of your data while it’s in transit. Any data you send is at your own risk. We have procedures and security features in place to keep your data secure once we receive it.

Links to other websites

Kent.gov.uk contains links to other websites. This privacy statement only applies to kent.gov.uk and doesn’t cover other services and transactions that we link to. These services will have their own terms and conditions and privacy policies. If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.

Online forms (also known as “e-forms”)

In order to provide certain services or activities, we need to be able to collect information from individuals and organisations. We use software provided by Firmstep, Snap, and GovMetric to create these online forms. These companies are acting as data processors for Kent County Council and only process personal information in line with our instructions. Each individual form will have its own Privacy Notice.

Our contact centre

To help deal with incoming telephone contact efficiently, KCC has a contact centre. All calls are recorded for training and monitoring purposes and to help us deal with customer feedback. Recordings are stored securely for up to 12 months then permanently deleted.

The information we need to take from you when you call us will depend on the reason for your call and what you are trying to get done. The range of information we may need to collect from you is set out in the 'Personal information we collect and use' section above. You should also read the privacy notice relating to the service that you are calling us about.

All our contact centre advisors are employees of Agilisys, which operates the Contact Centre on our behalf. They are based at County Hall in Maidstone. Agilisys also run our Out of Hours Emergency Contact Service (evening, weekends and public holidays) and this is provided through Elevate East London from their centre in Barking.

Only authorised members of staff have access to the call recordings. Call recordings may also be shared with a limited number of authorised members of KCC staff, as part of our quality monitoring processes and complaints handling procedures.

Emails to central mailboxes

KCC’s central email address (county.hall@kent.gov.uk) is monitored and managed on KCC’s behalf by Agilisys, based at County Hall. Only authorised members of staff (Agilisys and KCC) have access to the emails. All emails are managed from with KCC’s secure ICT Network.

The information you provide in any email you send us will depend on the reason for your enquiry and what you are trying to get done. You should read the privacy notice relating to the service that you are emailing us about.

Reliance on UK exemptions from GDPR

KCC may process information in reliance on the exemptions under the Data Protection Act where allowed (for example where the personal data is processed and a claim to legal professional privilege would apply; in relation to the provision of confidential references; or where personal data is processed for the purposes of management forecasting (to the extent that such activity would be prejudiced by advance notification).

Your rights

Under the GDPR you have rights which you can exercise free of charge that allow you to:

know what we are doing with your information and why we are doing it

ask to see what information we hold about you (known as a Subject Access Request)

ask us to correct any mistakes in the information we hold about you

object to direct marketing

make a complaint to the Information Commissioners Office

where we process information based on your consent, you have the right to withdraw your consent at any time

Depending on our reason for using your information you may also be entitled to:

ask us to delete information we hold about you

have your information transferred electronically to yourself or to another organisation

object to decisions being made that significantly affect you

object to how we are using your information

stop us using your information in certain ways

We will always seek to comply with your request, however, we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

You may not, however, have the right to object to the Council using your personal data for statistical purposes where it is necessary for the performance of a public task carried out for reasons in the public interest.

If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedule. If KCC needs to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures. If sending us such information we recommend using our secure online forms where provided, or the postal service.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Contact

Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of these rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.